remcos | dd65dd8dc6a7e07a80cef5710ea026d0a3dc0e4e3657111b82acbf65ffd845b6

General

Target

NEW ORDER- 4788467.exe
Size

908KB
MD5

1cb86400147c835af58017f0474c5bcc
SHA1

ac285cb623bf292341068dead954cfed9a1f8c81
SHA256

c35b10fc350209ec356b48282d85b18d9b9ab5c0167dc88461297906602e3d61
SHA512

ce74f39d092b13570f9387e5d43ced748dea9557e8887fc072694a2cf448b2c4cf741db3e76d551ebef3511b906ae1cbe0fe670f8968e51d1441982ec73b9b0c
SSDEEP

24576:Nqho7Y33wd4D5N4UmVFruPkMKXbY31qKblvh:y1Hwd4FN4UoFqjKXboTp5

Score

10^/10

remcos remotehost discovery execution persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

206.189.218.238:4782

206.189.218.238:2286

206.189.218.238:3363

206.189.218.238:3386

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-NJK093
screenshot_crypt
false
screenshot_flag
true
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
1
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2732 powershell.exe
2672 powershell.exe
Executes dropped EXE 3 IoCs

Processes:

remcos.exeremcos.exeremcos.exe

pid process

2644 remcos.exe
1984 remcos.exe
1760 remcos.exe
Loads dropped DLL 1 IoCs

Processes:

NEW ORDER- 4788467.exe

pid process

2692 NEW ORDER- 4788467.exe

pid	process
2732	powershell.exe
2672	powershell.exe

pid	process
2644	remcos.exe
1984	remcos.exe
1760	remcos.exe

pid	process
2692	NEW ORDER- 4788467.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

NEW ORDER- 4788467.exeremcos.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-NJK093 = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	NEW ORDER- 4788467.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-NJK093 = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-NJK093 = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-NJK093 = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	NEW ORDER- 4788467.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

NEW ORDER- 4788467.exeremcos.exe

description	pid	process	target process
PID 1924 set thread context of 2692	1924	NEW ORDER- 4788467.exe	NEW ORDER- 4788467.exe
PID 2644 set thread context of 1760	2644	remcos.exe	remcos.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

remcos.exeNEW ORDER- 4788467.exepowershell.exeschtasks.exeNEW ORDER- 4788467.exeremcos.exepowershell.exeschtasks.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NEW ORDER- 4788467.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NEW ORDER- 4788467.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

2840 schtasks.exe
1852 schtasks.exe

pid	process
2840	schtasks.exe
1852	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

NEW ORDER- 4788467.exepowershell.exeremcos.exepowershell.exe

pid	process
1924	NEW ORDER- 4788467.exe
1924	NEW ORDER- 4788467.exe
1924	NEW ORDER- 4788467.exe
2732	powershell.exe
2644	remcos.exe
2644	remcos.exe
2644	remcos.exe
2644	remcos.exe
2672	powershell.exe
2644	remcos.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

NEW ORDER- 4788467.exepowershell.exeremcos.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1924	NEW ORDER- 4788467.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	2644	remcos.exe
Token: SeDebugPrivilege	2672	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

remcos.exe

pid process

1760 remcos.exe

pid	process
1760	remcos.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

NEW ORDER- 4788467.exeNEW ORDER- 4788467.exeremcos.exe

description	pid	process	target process
PID 1924 wrote to memory of 2732	1924	NEW ORDER- 4788467.exe	powershell.exe
PID 1924 wrote to memory of 2732	1924	NEW ORDER- 4788467.exe	powershell.exe
PID 1924 wrote to memory of 2732	1924	NEW ORDER- 4788467.exe	powershell.exe
PID 1924 wrote to memory of 2732	1924	NEW ORDER- 4788467.exe	powershell.exe
PID 1924 wrote to memory of 2840	1924	NEW ORDER- 4788467.exe	schtasks.exe
PID 1924 wrote to memory of 2840	1924	NEW ORDER- 4788467.exe	schtasks.exe
PID 1924 wrote to memory of 2840	1924	NEW ORDER- 4788467.exe	schtasks.exe
PID 1924 wrote to memory of 2840	1924	NEW ORDER- 4788467.exe	schtasks.exe
PID 1924 wrote to memory of 2692	1924	NEW ORDER- 4788467.exe	NEW ORDER- 4788467.exe
PID 1924 wrote to memory of 2692	1924	NEW ORDER- 4788467.exe	NEW ORDER- 4788467.exe
PID 1924 wrote to memory of 2692	1924	NEW ORDER- 4788467.exe	NEW ORDER- 4788467.exe
PID 1924 wrote to memory of 2692	1924	NEW ORDER- 4788467.exe	NEW ORDER- 4788467.exe
PID 1924 wrote to memory of 2692	1924	NEW ORDER- 4788467.exe	NEW ORDER- 4788467.exe
PID 1924 wrote to memory of 2692	1924	NEW ORDER- 4788467.exe	NEW ORDER- 4788467.exe
PID 1924 wrote to memory of 2692	1924	NEW ORDER- 4788467.exe	NEW ORDER- 4788467.exe
PID 1924 wrote to memory of 2692	1924	NEW ORDER- 4788467.exe	NEW ORDER- 4788467.exe
PID 1924 wrote to memory of 2692	1924	NEW ORDER- 4788467.exe	NEW ORDER- 4788467.exe
PID 1924 wrote to memory of 2692	1924	NEW ORDER- 4788467.exe	NEW ORDER- 4788467.exe
PID 1924 wrote to memory of 2692	1924	NEW ORDER- 4788467.exe	NEW ORDER- 4788467.exe
PID 1924 wrote to memory of 2692	1924	NEW ORDER- 4788467.exe	NEW ORDER- 4788467.exe
PID 1924 wrote to memory of 2692	1924	NEW ORDER- 4788467.exe	NEW ORDER- 4788467.exe
PID 2692 wrote to memory of 2644	2692	NEW ORDER- 4788467.exe	remcos.exe
PID 2692 wrote to memory of 2644	2692	NEW ORDER- 4788467.exe	remcos.exe
PID 2692 wrote to memory of 2644	2692	NEW ORDER- 4788467.exe	remcos.exe
PID 2692 wrote to memory of 2644	2692	NEW ORDER- 4788467.exe	remcos.exe
PID 2644 wrote to memory of 2672	2644	remcos.exe	powershell.exe
PID 2644 wrote to memory of 2672	2644	remcos.exe	powershell.exe
PID 2644 wrote to memory of 2672	2644	remcos.exe	powershell.exe
PID 2644 wrote to memory of 2672	2644	remcos.exe	powershell.exe
PID 2644 wrote to memory of 1852	2644	remcos.exe	schtasks.exe
PID 2644 wrote to memory of 1852	2644	remcos.exe	schtasks.exe
PID 2644 wrote to memory of 1852	2644	remcos.exe	schtasks.exe
PID 2644 wrote to memory of 1852	2644	remcos.exe	schtasks.exe
PID 2644 wrote to memory of 1984	2644	remcos.exe	remcos.exe
PID 2644 wrote to memory of 1984	2644	remcos.exe	remcos.exe
PID 2644 wrote to memory of 1984	2644	remcos.exe	remcos.exe
PID 2644 wrote to memory of 1984	2644	remcos.exe	remcos.exe
PID 2644 wrote to memory of 1760	2644	remcos.exe	remcos.exe
PID 2644 wrote to memory of 1760	2644	remcos.exe	remcos.exe
PID 2644 wrote to memory of 1760	2644	remcos.exe	remcos.exe
PID 2644 wrote to memory of 1760	2644	remcos.exe	remcos.exe
PID 2644 wrote to memory of 1760	2644	remcos.exe	remcos.exe
PID 2644 wrote to memory of 1760	2644	remcos.exe	remcos.exe
PID 2644 wrote to memory of 1760	2644	remcos.exe	remcos.exe
PID 2644 wrote to memory of 1760	2644	remcos.exe	remcos.exe
PID 2644 wrote to memory of 1760	2644	remcos.exe	remcos.exe
PID 2644 wrote to memory of 1760	2644	remcos.exe	remcos.exe
PID 2644 wrote to memory of 1760	2644	remcos.exe	remcos.exe
PID 2644 wrote to memory of 1760	2644	remcos.exe	remcos.exe
PID 2644 wrote to memory of 1760	2644	remcos.exe	remcos.exe

C:\Users\Admin\AppData\Local\Temp\NEW ORDER- 4788467.exe
"C:\Users\Admin\AppData\Local\Temp\NEW ORDER- 4788467.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\mWrixkEbVc.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2732
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mWrixkEbVc" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4F87.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2840
- C:\Users\Admin\AppData\Local\Temp\NEW ORDER- 4788467.exe
  "C:\Users\Admin\AppData\Local\Temp\NEW ORDER- 4788467.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\ProgramData\Remcos\remcos.exe
    "C:\ProgramData\Remcos\remcos.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\mWrixkEbVc.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2672
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mWrixkEbVc" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBA3B.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:1852
  - - C:\ProgramData\Remcos\remcos.exe
      "C:\ProgramData\Remcos\remcos.exe"
      4⤵
      Executes dropped EXE
      PID:1984
  - - C:\ProgramData\Remcos\remcos.exe
      "C:\ProgramData\Remcos\remcos.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Remcos\logs.dat

Filesize
144B

MD5
a713e617957f433f71535334223bf2b3

SHA1
dea37cc31a2867921d30d526f149b5d0961f82f5

SHA256
a148f3efa6428a02ac72a26669d7f2e8900424620c1c350776c8e2cb8983c208

SHA512
362e0362a53030f7a92da792eb35ddbc16d9a29dc7302ee959cc4991590e344cbe4761292e9afcaee4df5c6fd433c3f4f049fb6bc1d0cfc9a33a2ba54d8fe58e

Download Submit
C:\ProgramData\Remcos\remcos.exe

Filesize
908KB

MD5
1cb86400147c835af58017f0474c5bcc

SHA1
ac285cb623bf292341068dead954cfed9a1f8c81

SHA256
c35b10fc350209ec356b48282d85b18d9b9ab5c0167dc88461297906602e3d61

SHA512
ce74f39d092b13570f9387e5d43ced748dea9557e8887fc072694a2cf448b2c4cf741db3e76d551ebef3511b906ae1cbe0fe670f8968e51d1441982ec73b9b0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4F87.tmp

Filesize
1KB

MD5
abc15484454019ecaeb722db08c2b855

SHA1
19a67b4e3742fc98b2554c07083f897e70e585e8

SHA256
1cb275fec1054d1faffe1e321d3d1297a3317ab7d10256eb56683424389cd884

SHA512
5b247693c38f0a45f4dcf0a5a9b374678d88bc5956e83e3127b4533bf5556780fea4f2f5882f4beb60617b7b0e70d16836c876b3577d5688f1f40646076dc539

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
80f11056fa76bb2f66d3f71cb47fba74

SHA1
12cc7a69280856fe77e32b27d73433fcbbe05612

SHA256
97bb40a340f05e20caddd0ae5fb497c8e696967c768cb9489b6878808f5f68b3

SHA512
05301e7b21a19038dc74e0b9eb1100d548ec5509ffb43ffb42a3d7de0a2d804a65a7fffe22b13df2dabba7812dab6246381eac97f0cd0c886f1d3994f6b78096

Download Submit
memory/1760-76-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1760-77-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1760-68-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1760-72-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1760-104-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1760-71-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1760-102-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1760-96-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1760-89-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1760-83-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1924-3-0x00000000740FE000-0x00000000740FF000-memory.dmp

Filesize
4KB

Download
memory/1924-5-0x00000000740F0000-0x00000000747DE000-memory.dmp

Filesize
6.9MB

Download
memory/1924-0-0x00000000740FE000-0x00000000740FF000-memory.dmp

Filesize
4KB

Download
memory/1924-4-0x0000000000390000-0x00000000003A2000-memory.dmp

Filesize
72KB

Download
memory/1924-6-0x00000000050A0000-0x0000000005164000-memory.dmp

Filesize
784KB

Download
memory/1924-2-0x00000000740F0000-0x00000000747DE000-memory.dmp

Filesize
6.9MB

Download
memory/1924-34-0x00000000740F0000-0x00000000747DE000-memory.dmp

Filesize
6.9MB

Download
memory/1924-1-0x0000000000910000-0x00000000009FA000-memory.dmp

Filesize
936KB

Download
memory/2644-41-0x00000000008B0000-0x000000000099A000-memory.dmp

Filesize
936KB

Download
memory/2644-42-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/2644-43-0x0000000004EE0000-0x0000000004FA4000-memory.dmp

Filesize
784KB

Download
memory/2692-20-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2692-16-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2692-28-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2692-18-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2692-22-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2692-24-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2692-26-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2692-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2692-32-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2692-31-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2692-15-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads